Rails sends a couple of new security HTTP headers by default, so you should probably know what they do. There are also a few additional ones, but they require a bit more configuration and thought.

The default headers

X-Frame-Options 'SAMEORIGIN' is sent by default. It means another website can only include this website in an iframe if it's from the same origin. Allowed values are SAMEORIGIN, DENY a
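To make the SAMEORIGIN rule concrete, here is an added example (not code from the article or from Rails itself) in plain Ruby: a small checker that applies the X-Frame-Options decision the way a browser does, given the header value, the framed page's URL and the embedding page's URL, plus a Rack-style middleware that adds the header when an application response lacks it. The URLs and the `FrameOptionsMiddleware` class are constructed for the example; nothing here requires Rails or the rack gem.

```ruby
# Added example, not from the original article or from Rails.
# Models the browser's X-Frame-Options check and shows a Rack-style
# middleware that supplies the header when the app forgot it.
require 'uri'

# Returns true if a page served with `header_value` may be framed by a
# document at `embedder_url`. `page_url` is the URL of the response that
# carried the header. Origin = scheme + host + port, so https://example.com
# and http://example.com are different origins.
def framing_allowed?(header_value, page_url, embedder_url)
  return true if header_value.nil? # no header: any site may frame the page

  page     = URI(page_url)
  embedder = URI(embedder_url)
  same_origin = [page.scheme, page.host, page.port] ==
                [embedder.scheme, embedder.host, embedder.port]

  case header_value.strip.upcase
  when 'DENY'       then false
  when 'SAMEORIGIN' then same_origin
  else
    # ALLOW-FROM is obsolete and unrecognised values are not reliably
    # enforced, so an audit should assume the page is NOT protected.
    true
  end
end

# Rack-compatible middleware (constructed for this example): a Rack app is
# anything responding to call(env) with [status, headers, body].
class FrameOptionsMiddleware
  def initialize(app, value = 'SAMEORIGIN')
    @app   = app
    @value = value
  end

  def call(env)
    status, headers, body = @app.call(env)
    # ||= keeps a deliberate per-response value (e.g. DENY on a login page)
    headers['X-Frame-Options'] ||= @value
    [status, headers, body]
  end
end

# Helper for trying the middleware against a constructed app whose response
# headers are given by `app_headers`; returns the final response headers.
def run_with_middleware(app_headers)
  app = ->(_env) { [200, app_headers.dup, ['ok']] }
  _status, headers, _body = FrameOptionsMiddleware.new(app).call({})
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts framing_allowed?('SAMEORIGIN', 'https://example.com/acct', 'https://example.com/')
  puts framing_allowed?('SAMEORIGIN', 'https://example.com/acct', 'https://attacker.example/')
  p run_with_middleware({})
end
```

In a Rails application you would not write this middleware yourself: the same header is set through `config.action_dispatch.default_headers` in the application configuration, which is where you change the value or add further headers.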